In a recent analysis, Palo Alto Networks Unit 42 researcher Chema Garcia revealed a targeted cyber threat affecting organizations in the Middle East, Africa, and the United States. The unknown threat actor is distributing a sophisticated backdoor named Agent Racoon, developed using the .NET framework. The malware abuses the Domain Name System (DNS) protocol to establish a covert channel over which its backdoor functionality is carried.
The victims, spanning sectors such as education, real estate, retail, non-profits, telecom, and government, indicate a broad-ranging and coordinated attack. While specific attribution remains unclear, the attack’s sophistication, victimology pattern, and use of advanced detection evasion techniques suggest a nation-state affiliation.
The threat campaign, tracked by Palo Alto Networks under the designation CL-STA-0002, has targeted diverse organizations, but details about the initial breach methods and the timeline of attacks are currently unavailable.
The attacker’s toolkit includes a customized version of Mimikatz named Mimilite and a novel utility called Ntospy. Ntospy employs a custom DLL module that registers as a network provider, capturing credentials and passing them to a remote server.
Agent Racoon, executed through scheduled tasks, conceals itself by masquerading as Google Update and Microsoft OneDrive Updater binaries. The backdoor allows the threat actor to execute commands and to upload and download files, demonstrating a high level of sophistication in its capabilities.
The command-and-control (C2) infrastructure associated with Agent Racoon has been active since at least August 2020. Notably, the first known sample of the malware was uploaded to VirusTotal in July 2022.
In addition to Agent Racoon, evidence uncovered by Unit 42 indicates successful data exfiltration from Microsoft Exchange Server environments, resulting in the theft of emails matching specific search criteria. The threat actor also harvests victims’ Roaming Profiles as part of its reconnaissance activities.
Despite the observed patterns, the researchers note that this tool set is not yet conclusively linked to a specific threat actor, and its deployment extends beyond a single cluster or campaign. The ongoing investigation highlights the need for continued vigilance and enhanced cybersecurity measures to counter such sophisticated and targeted attacks.
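Because the report summary above only names the DNS covert channel without detailing it, the following is an added defender-side example (not Unit 42's code and not tied to any real indicator) of a heuristic a blue team can run over resolver logs: it groups queries by registered domain and flags domains that receive many distinct names whose leading label is consistently long and high-entropy, the shape encoded C2 traffic tends to have. The log line format, the `updates.example.test` domain and the thresholds are all constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines "<timestamp> <client_ip> <query_name>"; the
# *.example.test names are a made-up stand-in for a DNS covert channel, not real IoCs.
SAMPLE_LOG = """\
2023-11-01T09:00:01Z 10.0.0.5 www.example.com
2023-11-01T09:00:02Z 10.0.0.5 mail.example.com
2023-11-01T09:00:03Z 10.0.0.5 4f9a1c7e2b3d8e6f0a5b9c1d2e3f4a5b.updates.example.test
2023-11-01T09:00:04Z 10.0.0.5 9b2e7d1a3c5f8a0b4d6e2f1c7a9b3d5e.updates.example.test
2023-11-01T09:00:05Z 10.0.0.5 c3d5e7f9a1b2c4d6e8f0a2b4c6d8e0f1.updates.example.test
2023-11-01T09:00:06Z 10.0.0.5 a7b9c1d3e5f7a9b1c3d5e7f9a1b3c5d7.updates.example.test
2023-11-01T09:00:07Z 10.0.0.5 cdn.example.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty string."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname: str) -> str:
    """Naive split on the last two labels (no public-suffix list here)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_suspicious_domains(log_text, min_queries=4, min_label_len=24, min_entropy=3.0):
    """Flag registered domains that receive many distinct queries whose leading
    label is long and high-entropy. Thresholds are assumptions; tune to a baseline."""
    per_domain = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            qname = m.group(3).lower()
            per_domain[registered_domain(qname)].add(qname)
    flagged = {}
    for domain, names in per_domain.items():
        first_labels = [n.split(".")[0] for n in names if n != domain]
        if len(first_labels) < min_queries:
            continue
        avg_len = sum(map(len, first_labels)) / len(first_labels)
        avg_ent = sum(map(shannon_entropy, first_labels)) / len(first_labels)
        if avg_len >= min_label_len and avg_ent >= min_entropy:
            flagged[domain] = {"unique_names": len(names),
                               "avg_label_len": round(avg_len, 1),
                               "avg_entropy": round(avg_ent, 2)}
    return flagged
```

On the sample, only `example.test` is flagged; the ordinary `example.com` names are too few and too short to cross the thresholds.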